On 03/18/11 17:02, Dan Nelson wrote:
> In the last episode (Mar 18), O. Hartmann said:
>> I try to use a FreeBSD OpenLDAP (FreeBSD 8.2-STABLE/amd64, most recent
>> OpenLDAP/openldap-sasl-server-2.4.24) as an authentication backend for a
>> Ubuntu 10.10 server (using openldap 2.4.23).
>> Most of the installation on the Ubuntu server has been successfully done
>> (I'm not familiar with Linux, but it seems that things like pam and ldap
>> are quite similar to FreeBSD's installation).
>> From the Linux/Ubuntu server, I'm able to get all users and groups via
>> 'getent passwd' and 'getent group'; even 'id' on an OpenLDAP-backed
>> user is successful.
>> But when it comes to a login via sshd, login fails with this error
>> (logged on Linux Ubuntu in /var/log/auth.log):
>> Mar 18 12:01:00 freyja sshd[26824]: Failed password for testuser from
>> 192.168.0.128 port 40734 ssh2
>> Mar 18 12:01:23 freyja sshd[26854]: pam_ldap: error trying to bind as user
>> "uid=testuser,ou=users,dc=geoinf,dc=freyja,dc=com" (Confidentiality required)
> "Confidentiality required" means that the server is refusing to authenticate
> over a non-encrypted connection. Try switching pam_ldap to ldaps (in your
> pam ldap.conf, either change your "uri" lines to ldaps:// or add the line
> "ssl on") and see if that works.
Well,
I tried several things now and I do not understand this world anymore :-(
For short again: The conceptual setup I use is a working concept
within all FreeBSD boxes around here, authenticating users via our
OpenLDAP server, also run on FreeBSD (8.2-STABLE/amd64).
On the Linux/Ubuntu 10.10 server I tried the following:
ldapsearch:
ldap_sasl_interactive_bind_s: Confidentiality required (13)
additional info: TLS confidentiality required
ldapsearch -xZ:
...listing of the DIT of the LDAP server
Looking up a user ID definitely within the DIT: positive response from
the LDAP server.
I also can obtain passwd/group information via
getent passwd/group.
I also checked the connection to the LDAP server with the SSL credentials by
openssl s_client -connect LDAPserver:636 -showcerts
and receive a lot of information:
CONNECTED(00000003)
depth=1 /C [...]
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
0 s:/C=DE/ST [...]
-----BEGIN CERTIFICATE-----
MIIDljCCAv+gAwIBA [...]
-----END CERTIFICATE-----
1 s:/C [...]
i:/C=DE [...]
-----BEGIN CERTIFICATE-----
MIIDojCC[...]
-----END CERTIFICATE-----
---
Server certificate
subject=/C [...]
issuer=/C [...]
---
No client certificate CA names sent
---
SSL handshake has read 2175 bytes and written 421 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : AES256-SHA
Session-ID:
2FCAD4AAFD18AD13013AE6A8BFF872036DAC94174F0DE626E8FF0C7F98FC7EE3
Session-ID-ctx:
Master-Key: XXXXX
Key-Arg : None
TLS session ticket:
0000 - b5 48 c7 cc 09 99 fb a5-0e 1e 75 1b 4f aa a1 69
.H........u.O..i
0010 - 37 a5 4f c7 [...]
Start Time: 1300547707
Timeout : 300 (sec)
Verify return code: 19 (self signed certificate in certificate chain)
---
I guess this signals everything is all right with the certificate
connecting via SSL/TLS.
I'm not familiar with Linux/Ubuntu's PAM setup, the setup has been done
via apt-get/installation of the appropriate tools and facilities (ldap,
pam_ldap, nss_ldap). I've no idea what's going wrong ...
There is also some kind of weirdness around here. While logging in via ssh
(or better: trying to log in via ssh), I received this:
Mar 19 16:44:39 freyja sshd[1625]: Did not receive identification string
from 125.88.109.121
Mar 19 16:44:40 freyja sshd[1623]: Failed password for ohartmann from
XXX.XXX.XXX.XXX port 52686 ssh2
Mar 19 16:45:01 freyja CRON[1626]: pam_unix(cron:session): session
opened for user root by (uid=0)
Mar 19 16:45:01 freyja CRON[1626]: pam_unix(cron:session): session
closed for user root
IP 125.88.109.121 is located in China. Server details for 125.88.109.121:
IP address: 125.88.109.121
Server location: Guangzhou, Guangdong, China
ISP: ChinaNet Guangdong Province Network
_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"
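The two things the thread turns on are client-side settings in pam_ldap's ldap.conf: whether the bind goes over an encrypted transport at all (the server answers "Confidentiality required" otherwise), and whether the client will actually be able to verify the server's self-signed chain (the "verify error:num=19" that openssl reports above). The following linter is an added example, not code from the thread or from the pam_ldap project; it uses the real pam_ldap/nss_ldap directives `uri`, `ssl`, `tls_checkpeer`, `tls_cacertfile` and `tls_cacertdir`, while the hostnames, file paths and the sample configurations are constructed for illustration.

```python
"""Lint a pam_ldap/nss_ldap ldap.conf for the failure modes seen in the thread.

Finding codes returned by check_ldap_conf():
  plaintext-bind   no ldaps:// URI and no "ssl on"/"ssl start_tls": a server
                   that enforces a security strength factor refuses the simple
                   bind with "Confidentiality required" (LDAP result 13).
  unverified-peer  TLS is used but tls_checkpeer is not "yes": the password is
                   sent to whoever answers on port 636.
  missing-ca       tls_checkpeer is "yes" but no CA file/dir is configured: a
                   private CA chain fails verification (openssl error 19).
"""
from typing import Dict, List

# Constructed sample mirroring the thread's situation: plain ldap:// URI, no TLS.
WEAK_CONF = """\
# /etc/ldap.conf (constructed example)
base dc=geoinf,dc=freyja,dc=com
uri ldap://ldapserver.example.invalid/
ldap_version 3
pam_password md5
"""

# Constructed hardened counterpart: LDAPS, peer verification, private CA pinned.
HARDENED_CONF = """\
base dc=geoinf,dc=freyja,dc=com
uri ldaps://ldapserver.example.invalid/
ssl on
tls_checkpeer yes
tls_cacertfile /etc/ssl/certs/ldap-ca.pem   # assumed path to the site CA
"""

# Constructed in-between case: encrypted, verification on, but CA not installed.
NO_CA_CONF = """\
uri ldaps://ldapserver.example.invalid/
tls_checkpeer yes
"""

TRUE_VALUES = ("yes", "on", "true", "hard", "demand")


def parse_ldap_conf(text: str) -> Dict[str, str]:
    """Parse pam_ldap's "key value" format; comment lines start with '#'.

    Keys are case-insensitive; a repeated key keeps its last value, which is
    how the pam_ldap parser behaves for single-valued directives.
    """
    conf: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Drop a trailing "# comment" only after the value was read, so a
        # value containing '#' on its own (e.g. a bindpw) is left intact.
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if " #" in value:
            value = value.split(" #", 1)[0].rstrip()
        conf[key] = value
    return conf


def uses_encrypted_transport(conf: Dict[str, str]) -> bool:
    """True if the bind will travel over LDAPS or StartTLS."""
    ssl_mode = conf.get("ssl", "off").lower()
    if ssl_mode in ("on", "yes", "start_tls"):
        return True
    uris = conf.get("uri", "").split()
    return bool(uris) and all(u.lower().startswith("ldaps://") for u in uris)


def check_ldap_conf(text: str) -> List[str]:
    """Return the list of finding codes (empty list means nothing to fix)."""
    conf = parse_ldap_conf(text)
    findings: List[str] = []
    encrypted = uses_encrypted_transport(conf)
    if not encrypted:
        findings.append("plaintext-bind")
    checkpeer = conf.get("tls_checkpeer", "no").lower() in TRUE_VALUES
    if encrypted and not checkpeer:
        findings.append("unverified-peer")
    if checkpeer and not (conf.get("tls_cacertfile") or conf.get("tls_cacertdir")):
        findings.append("missing-ca")
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("no-ca", NO_CA_CONF),
                       ("hardened", HARDENED_CONF)):
        print(f"{name:9s} -> {check_ldap_conf(conf) or 'OK'}")
```

The `plaintext-bind` case is exactly what produces the `pam_ldap: error trying to bind ... (Confidentiality required)` line in auth.log; switching the URI to `ldaps://` (or adding `ssl start_tls`) clears it, after which `tls_checkpeer yes` plus a `tls_cacertfile` pointing at the self-signed CA is what turns openssl's verify code 19 into a clean verification on the Ubuntu side.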